Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.
COURSE of the MONTH
12 days, 2 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
How to secure folders on IIS/ASP.NET?
Posted on 2011-09-07
Hello,
I have ASP.net web application and I'm using forms based authentication and role based authorization using web.config.
Now I need to use role based authorization to limit access to subfolders. I know i can do it by placing modified web.config in subfolders
BUT
in this subfolders are .html or .jpg or .gif files. I need to limit access to those files.
How can I do it?
Best Regards
Fooky
I have ASP.net web application and I'm using forms based authentication and role based authorization using web.config.
Now I need to use role based authorization to limit access to subfolders. I know i can do it by placing modified web.config in subfolders
BUT
in this subfolders are .html or .jpg or .gif files. I need to limit access to those files.
How can I do it?
Best Regards
Fooky
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
7-
3
11 Comments
I believe this is done is IIS. There's a solution here but not sure if its overkill. I'm afraid I can't remember how I did this it was a long time ago... http://forums.asp.net/t/1434944.aspx/1
Pasted from above:
1. Open the IIS manager console.
2. Under the Sites node, right click the web site or the folder which contains the file you want to protect.
3. In the Features View group by “Area”, under the “IIS” Section, click “Handler Mappings”
4. In the “Actions” frame, on the right side of the console, click “Add Managed Handler…”
5. In the prompted Dialog, fill the text boxes, and Request Path: *; Type: System.Web.DefaultHttpHand
6. Click ok, and restart IIS 7.0.
1. Open the IIS manager console.
2. Under the Sites node, right click the web site or the folder which contains the file you want to protect.
3. In the Features View group by “Area”, under the “IIS” Section, click “Handler Mappings”
4. In the “Actions” frame, on the right side of the console, click “Add Managed Handler…”
5. In the prompted Dialog, fill the text boxes, and Request Path: *; Type: System.Web.DefaultHttpHand
6. Click ok, and restart IIS 7.0.
Hi,
I did: ID:36501142Author:Rouchie
and now i have error like this:
Best Regards
FooKy
I did: ID:36501142Author:Rouchie
and now i have error like this:
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.PlatformNotSupportedException: The DefaultHttpHandler.BeginProcessRequest method is not supported by IIS integrated pipeline mode.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[PlatformNotSupportedException: The DefaultHttpHandler.BeginProcessRequest method is not supported by IIS integrated pipeline mode.]
System.Web.DefaultHttpHandler.BeginProcessRequest(HttpContext context, AsyncCallback callback, Object state) +2877787
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8690594
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
Best Regards
FooKy
IF you're only using IIS7, remove the addition added before, then following the steps here:
http://weblogs.asp.net/hosamkamel/archive/2008/12/15/secure-file-download-area-using-iis-6-0-and-iis-7-0.aspx
http://weblogs.asp.net/hosamkamel/archive/2008/12/15/secure-file-download-area-using-iis-6-0-and-iis-7-0.aspx
For IIS 7.0 (Integrated Pipeline mode):
The default configuration for all managed modules shipped with IIS 7.0, including the Forms Authentication and URL Authorization modules, uses a precondition so that these modules only apply to content that an (ASP.NET) handler manages. This is done for backwards compatibility reasons. (as mentioned in For IIS 6.0 section)
By removing the precondition, we make the desired managed module execute for all requests to the application, regardless of content. This is necessary in order to protect our static files, and any other application content with Forms-based authentication.
To do this, open the application's web.config file located in the %systemdrive%\inetpub\wwwroot directory, and paste the following lines immediately below the first <configuration> element:
<system.webServer> <modules> <remove name="FormsAuthenticationModule" /> <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" /> <remove name="UrlAuthorization" /> <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" /> <remove name="DefaultAuthentication" /> <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" /> </modules> </system.webServer>
Hi,
Sorry for delay in response.
I've tried to use this, and I can limit access to authenticated users only but I cannot get it to work with roles
So if I have
<allow roles="test1">
<deny users="*">
I can access test.apsx (of course after authentication ) and i can display in this file all roles i belong to
but if i try access test.html then i'm always redirected to login.apsx
it seams that when I'm accessing html files I do not have information about roles ?
any help would appreciated
Best regards
Fooky
Sorry for delay in response.
I've tried to use this, and I can limit access to authenticated users only but I cannot get it to work with roles
So if I have
<allow roles="test1">
<deny users="*">
I can access test.apsx (of course after authentication ) and i can display in this file all roles i belong to
but if i try access test.html then i'm always redirected to login.apsx
it seams that when I'm accessing html files I do not have information about roles ?
any help would appreciated
Best regards
Fooky
If you specify the page explicitly it should certainly work:
<location path="/enter/your/path/to/test.html">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="test1"/>
</authorization>
</system.web>
</location>
Don't forget the rules you specify in web.config are inherited, so rules you put before/after this will affect what ASP.NET does. Later rules take precedence over earlier rules, so try putting the above code last in web.config to ensure it gets treated with the highest priority.
Look under the common mistakes section here for more info:
http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx
http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx
Featured Post
Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash"
After Shake : http://www.videocopilot.net/presets/after_shake/
All lightning effects with instructions : http://www.mediaf…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster.
To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses
Course of the Month12 days, 2 hours left to enroll
752 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.